anonymisation / de-identification / GDPR / Omnibus

On Pancakes, Paper Pudding, and the Draft Digital Omnibus: What Happens Next?

Posted on by Leave a comment

I thought I was done with blogging. Yet if the leaked digital Omnibus achieved anything positive, it was to bring me back to joyful collage… which is worth explaining. As for what comes next, we’ll have to wait, and make time, to search for antidotes.

This post is about pancakes and paper pudding, and how these culinary artefacts shed light on the work the European Commission has been doing over the past few months. (When we can no longer discuss politics and the public interest civilly, we are left with what’s on our plate…)

Richard Foreman uses a powerful metaphor, i.e., the pancake, to illustrate how information technology, the medium (even before the message, i.e., the content), shapes the way we think. (Here’s a link, from one pancake person to another). Spread too wide, and we end up stretched too thin!

Adapting this metaphor to the Brussels Bubble, it seems that a pancake effect is emerging in the way lawmaking is conducted and produced.

Let me explain. The draft Digital Omnibus is presented as a set of technical amendments that supposedly do not require an impact assessment. (Do we even read what we write, I wonder?)

On page 9 of the leaked document, I read:

“The proposed amendments remain technical in their nature, seeking to adjust the regulatory framework but not amend its underlying objectives. The measures are calibrated to preserve the same standard for the protection of fundamental rights.”

Whatever one thinks about the need to modernise the General Data Protection Regulation (GDPR), this statement is troubling. It reflects an inability, or an unwillingness, to grasp the depth of the transformation that is, or could be, unfolding with these amendments.

This can be explained in different ways, I’ll try one.

The definition of personal data is a key parameter for delineating the material scope of EU data protection law. It has been argued several times that it is an unworkable concept because it forces us to think in binary terms. But such arguments miss the point. The real questions are whether the concept prevents us from taming what needs to be tamed, and whether there are ways to set reasonable, even if imperfect, boundaries. The answer to the first question is ‘no’ and the answer to the second question is ‘yes.’ (We can even add ‘ifs’ if you want.)

First, we know how to have a functional definition of personal data and focus on the impact on individuals when profiling and tracking occur, even without access to direct identifiers. The IAB Europe case is a strong example, and there are others. (I’ve tried to explain this here.)

Second, we also know how to set reasonable limits on personal data by considering the legitimacy of secondary use and context-specific controls. The ICO’s guidance on anonymisation and the European Medicines Agency guidance on anonymisation of clinical trial reports are attempts to do just that. The EDPS v SRB judgment can be read in this light (I’ve tried to explain it here).

To say it more even more bluntly, compromises are possible, and they require making an effort to understand how de-identification techniques, particularly statistical disclosure methods, have been developed over the years.

We need a nuanced approach to anonymisation because anonymisation is always a trade-off and pseudonymisation is not just one method (to be complemented by other controls) to reduce re-identification risks; it also facilitates linkability of data points and datasets, and therefore profiling. The EDPB has understood this, as I’ve tried to explain here.

The new redrafting of the definition of personal data in the leaked Omnibus is troubling because it over-simplifies the problem despite claims made about simplicity by design (by the way what does this verbiage really mean?). The redrafting extracts one sentence from EDPS v SRB and seems to present it as the test, ignoring another sentence that adds essential nuance:

“pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.” [my emphasis].

In other words, by attempting to rewrite the definition of personal data, the leaked Omnibus risks undermining efforts to tame profiling and tracking.

What is meant by profiling? The GDPR has a definition in Article 4(4): “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”

That profiling and tracking is problematic is understood across the pond, including by the US Federal Trade Commission, which notes in 2024 that hashing does not make data anonymous, and the opacity of an identifier is no excuse.

The potential consequence of the redrafting is significant: the projection of fundamental rights could be impaired. What is at stake here is the integrity of the GDPR edifice. How would the GDPR now compare with other privacy and data protection standards?

I haven’t even touched upon the amendments to the definition of special categories of personal data, the new legal basis for AI training and operation, the restrictions set upon information and access, or the disregard for the foundational role played by data mapping.

Said otherwise, the words I quoted above (about wanting to introduce technical amendments only) are like paper pudding, sweet and appealing in appearance, but disconnected from reality.

So why rewrite the definitions of core concepts when regulatory guidance could achieve a better goal? What’s going on isn’t about cutting red tape. Could it be thin thinking… coupled with a compulsive obsession with innovation?

Thin thinking is revealed in at least two important flaws of the approach. First, if adopted as they stand, the leaked Omnibus amendments to the GDPR are likely to trigger another round of compliance program reassessments, likely wasting valuable resources. Second, these amendments overlook the fact that data access and portability are central to inclusive models of data use and reuse, an objective the leaked Omnibus drafters still appear to be pursuing. And yet, other parts of the omnibus make data access more difficult.

What’s the next twist, tweak or trick?

Just another pancake person

PS: Check the post just before this one, you’ll see that history repeats itself.

Leave a Reply